Answer-first summary for fast verification
Answer: Use customer-supplied encryption keys to manage the data encryption key (DEK).
The correct answer is C because Customer-Supplied Encryption Keys (CSEK) allow you to provide your own encryption key generated on-premises, which is used as the data encryption key (DEK) in Google Cloud Storage. According to Google's documentation, the raw CSEK is used to unwrap wrapped chunk keys, creating raw chunk keys in memory that serve as the DEKs for your data. This aligns with the requirement to use an on-premises-generated key in the encryption process. Options A and B are incorrect because they involve Cloud KMS, which manages keys within Google Cloud, not on-premises. Option D is incorrect because while CSEK can be used as a key encryption key (KEK) in some contexts, the specific documentation for Cloud Storage states that the CSEK is used as the DEK, and KEK management typically remains with Google Cloud services like KMS.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
Your company stores sensitive data in Cloud Storage and requires the encryption process to use a key that is generated on-premises. What should you do?
A
Use the Cloud Key Management Service to manage a data encryption key (DEK).
B
Use the Cloud Key Management Service to manage a key encryption key (KEK).
C
Use customer-supplied encryption keys to manage the data encryption key (DEK).
D
Use customer-supplied encryption keys to manage the key encryption key (KEK).
No comments yet.